CLAIMS 



1- A computer implemented method for tracking movement 
files within a network, the method comprising the steps 

a mobility token manager on a source computer 
detecting an attempt to write a file to a 
target computer; and 
responsive to the detection, the mobility token 
manager writing a mobility token containing 
data concerning at least the file and the 
write operation to the target computer. 

2.. The method of claim 1 wherein: 

the mobility token manager is instantiated within 
a file system filter driver. 

3. The method. of claim 1 wherein: 
the mobility token manager is instantiated as at 

least one system call wrapper. 

4. The method of claim 1 wherein: 
the mobility token contains at least one datum 

concerning the source computer from a group 
of data consisting of: 
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an IP address; 

a computer name; and 

a primary domain controller name. 



1 5. The method of claim 1 wherein: 

2 the mobility token contains at least one datum 

3 concerning the file from a group of data 

4 consisting of: 

5 a file name; 

6 a content -based hash value; 

7 a digital signature; 

8 a version number; 

9. a last modification date; and 

10 .a last modification time. 

1 6. The method of claim 1 wherein: 

2 the mobility token contains at least one datum 

3 concerning a user who has ownership of an 

4 application program attempting to write the 

5 file to the target computer, the datum being 

6 from a group of data consisting of : 

7 a user account name; 

8 a user account number; and 

9 a SID. 
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7. The method of claim 1 wherein: 

the mobility token contains at least one datum 

concerning the attempt to write the file to 
the target computer, the datum being from a 
group of data consisting of: 
a date of the attempted write operation; and 
a time of the attempted write operation. 

8. The method of claim 1 further comprising: 

the mobility token manager compressing at least 
one mobility token. 

9. The method of claim 1 further comprising: 

the mobility token manager encrypting at least . 
one mobility token. 

10. The mqthod of claim 1 further comprising: 

the mobility token manager hiding at least one 
mobility token. 

11. The method of claim 1 further comprising: 

the mobility token manager on the source computer 
determining whether another mobility token 
manager is. running on the target ComputerL- 
and 
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6' the mobility token manager on the source computer 

7 only writing a mobility token to the target 

8 computer responsive to determining that 

9 another mobility token manager is running on 
10 the target computer. 

1 12. The method of claim 1 further comprising: 

2 before writing a mobility token to the target 

3 computer, the mobility token manager 

4 determining whether a mobility token 

5 associated with the file exists; 

6 responsive to results of the determination, the 

7 mobility token manager performing a step 
8. from a group of steps consisting of: 

9 responsive to determining that an associated 

10 mobility token exists, writing 

11 information concerning at least the 

12 . file and the write operation to the 

13 mobility token; and 

14 responsive to determining that an associated 

15 mobility token does not exist, creating 

16 an associated mobility token containing 

17 information concerning at least the 

18 file and the write operation. 
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1 13. The method of claim 1 further comprising: 

2 the mobility token manager writing at least one 

3 instruction directed to a target computer in 

4 the mobility token. 

1 14. The method of claim 1 wherein: 

2 the mobility token contains an indication that 

3 the associated file has been scanned by an 

4 ant i -malicious code scanning engine, and an 

5 indication of a malicious code definition 

6 file used for the ant i -malicious code 

7 scanning. 

1 15. A computer implemented method for tracking j/ 

2 movement of files within a network, the method comprising 

3 the steps of: 

4 a mobility token manager on a target computer 

5 detecting that a mobility token is being 

6 written to the target computer ; 

7 the mobility token manager reading the mobility 

8 token; and 

9 the mobility token manager determining relevant 

10 information concerning a file associated 

11 with the mobility token. 
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The method of claim 15 further comprising: 
the mobility token manager merging data from the 
mobility token into a mobility token data 
store containing information from at least 
one other mobility token. 

The method of claim 15 further comprising: 
the mobility token manager reading at least one 
instruction for a source computer in the 
mobility token; and 
the mobility token manager executing the at least 
one instruction. 

The method of claim 15 further comprising: 
the mobility token manager reading the mobility 
token; and 

in response to contents of the mobility token, 
the mobility token manager rejecting the 
associated file. 

The method of claim 15 further comprising: 
the mobility token manager reading the mobility 
token; 
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4 from the contents of the mobility token, the 

5 mobility token manager determining whether 

6 the associated file has been scanned by an 

7 anti-malicious code scanning engine using a 

8 current malicious code definition file; and 
■ 9 in response to determining that the file has not 

10 been scanned using a current malicious code 

11 definition file, scanning the file for 

12 malicious code. 

1 20. The method of claim 15 wherein: 

2 the mobility token manager is instantiated within 

3 a file system filter driver , 

1 21. The method of claim 15 wherein: 

2 the mobility token manager is instantiated as at least 

3 one system call wrapper. 

1 . 22. A computer system for tracking movement of files ^ 

2 within a network, the computer system comprising: 

3 a software portion configured to detect an 

4 attempt to write a file to a target 

5 computer; and 

6 a software portion configured to write a mobility 

7 token containing data concerning at least 
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the file and. the write operation to the 
target computer, responsive to the 
detection. 

1 23. A. computer readable medium containing a computer 

2 program, product for tracking movement of files within a 

3 network, the computer program product comprising: 

4 program code for detecting that a mobility token 

5 is being written to a computer; 

6 program code for reading the mobility token; and 

7 program code for determining relevant information 

8 concerning a file associated with the 

9 mobility token. 

10 
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